SNOWLIGHT Malware
The China-linked threat actor UNC5174, also known as Uteus (or Uetus), has launched a new cyber campaign involving a modified version of the SNOWLIGHT malware and a new open-source Remote Access Trojan (RAT) named VShell. This operation targets Linux systems and employs advanced techniques to evade detection and attribution.
Blending In: Open Source Tools as a Cover
Threat actors are increasingly relying on open-source tools to reduce costs and mask their activities. In this case, UNC5174 is using such tools to resemble low-tier, non-state-sponsored hackers, making it more difficult for defenders to trace the campaign back to a nation-state. This tactic has allowed UNC5174 to operate discreetly since its last known association with Chinese government-linked operations over a year ago.
A Familiar Arsenal: SNOWLIGHT and Its Role
Previously, UNC5174 exploited vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP software to deploy SNOWLIGHT, a C-based ELF downloader. SNOWLIGHT was then used to retrieve GOHEAVY, a Golang-based tunneling tool, from infrastructure linked to SUPERSHELL, a publicly available C2 framework.
Toolset Expansion: GOREVERSE and New Attack Vectors
The group’s toolkit also includes GOREVERSE, a Golang reverse shell that communicates via Secure Shell (SSH). The French National Agency for the Security of Information Systems (ANSSI) recently observed similar tactics used in attacks on Ivanti Cloud Service Appliance (CSA) vulnerabilities, including CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
Cross-Platform Threats: SNOWLIGHT and VShell Target macOS
Both SNOWLIGHT and VShell are capable of infecting Apple macOS systems. In October 2024, VShell was disguised as a fake Cloudflare authenticator app, suggesting a broader and more flexible attack infrastructure. This cross-platform capability increases the overall threat posed by UNC5174.
Unseen Entry Points: Attack Chain and Payload Deployment
In an attack observed in January 2025, SNOWLIGHT was used as a dropper to deliver VShell, a fileless in-memory RAT. The initial access method remains unknown, but once inside the system, a malicious script (download_backd.sh) is used to deploy two key binaries: dnsloger (SNOWLIGHT) and system_worker (Sliver). These tools help establish persistence and initiate communication with a C2 server.
Stealth and Control: The Final Stage with VShell
The final stage of the intrusion involves VShell being downloaded via a custom request to the C2 server. As a remote access Trojan, VShell grants attackers the ability to execute arbitrary commands and transfer files. Its fileless nature and use of WebSockets for C2 communications make it a particularly stealthy and dangerous tool in the attacker’s arsenal.
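The two stages above (the dropper script deploying `dnsloger` and `system_worker`, then a fileless VShell payload talking to its C2 over WebSockets) give a defender a few concrete things to look for on a Linux host. The Python below is an added illustration written for this page, not code from the original article or from any of the reports it summarizes. The only values taken from the article are the three file names; the process snapshot, the egress-proxy log format, the IP addresses and the WebSocket allowlist are all constructed for the example, and the memfd/"(deleted)" heuristics are general Linux in-memory-execution forensics rather than anything the article states specifically about VShell.

```python
"""Host and egress triage for the SNOWLIGHT / VShell chain described above.

Illustrative only: everything except the three component names is constructed.
"""
import re
from dataclasses import dataclass

# Component names taken from the article; all other data below is constructed.
PAGE_IOC_NAMES = {"download_backd.sh", "dnsloger", "system_worker"}


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # target of the /proc/<pid>/exe symlink
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


# Constructed snapshot modelled on "readlink /proc/<pid>/exe" for each process.
SAMPLE_PROCS = [
    Proc(1,    "systemd",       "/usr/lib/systemd/systemd",     "/sbin/init"),
    Proc(612,  "sshd",          "/usr/sbin/sshd",               "sshd: /usr/sbin/sshd -D"),
    Proc(2241, "dnsloger",      "/tmp/dnsloger",                "/tmp/dnsloger"),
    Proc(2260, "system_worker", "/tmp/system_worker (deleted)", "/tmp/system_worker"),
    Proc(2301, "sh",            "/usr/bin/dash",                "sh /tmp/download_backd.sh"),
    Proc(2318, "bash",          "/memfd:vshell (deleted)",      "bash"),  # in-memory payload
]


def fileless_indicators(p):
    """Reasons a process looks like a dropped or in-memory payload (empty list = clean)."""
    reasons = []
    if p.comm in PAGE_IOC_NAMES or any(n in p.cmdline for n in PAGE_IOC_NAMES):
        reasons.append("name matches a component reported for this campaign")
    if "memfd:" in p.exe:
        reasons.append("executable mapped from an anonymous memfd (no file on disk)")
    if p.exe.endswith("(deleted)"):
        reasons.append("backing file was unlinked after exec")
    if p.exe.startswith(("/tmp/", "/dev/shm/")):
        reasons.append("runs from a world-writable temporary directory")
    return reasons


def suspicious_processes(procs):
    """Map pid -> indicator list for every process with at least one indicator."""
    flagged = {}
    for p in procs:
        reasons = fileless_indicators(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


# Constructed egress-proxy record format (hypothetical, not a real product's log):
#   <ts> <src> -> <dst>:<port> <method> <path> status=<code> upgrade=<header-or-dash>
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"status=(?P<status>\d+) upgrade=(?P<upgrade>\S+)$"
)

SAMPLE_EGRESS = [
    "2025-01-14T10:02:11Z 10.0.5.21 -> 203.0.113.7:443 GET /ws status=101 upgrade=websocket",
    "2025-01-14T10:02:15Z 10.0.5.21 -> 198.51.100.9:443 GET /notify status=101 upgrade=websocket",
    "2025-01-14T10:03:02Z 10.0.5.44 -> 198.51.100.3:443 GET /index.html status=200 upgrade=-",
    "malformed record that the parser must skip without crashing",
]

# Assumed: the organisation's known, legitimate WebSocket endpoints.
ALLOWED_WS_DESTS = {"198.51.100.9:443"}


def unexpected_websocket_upgrades(lines, allowed_dsts):
    """Return (src, dst) pairs that completed a WebSocket upgrade to a non-allowlisted host."""
    hits = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue  # tolerate noise in the log
        if (m["status"] == "101" and m["upgrade"].lower() == "websocket"
                and m["dst"] not in allowed_dsts):
            hits.append((m["src"], m["dst"]))
    return hits


def triage(procs=SAMPLE_PROCS, egress=SAMPLE_EGRESS, allowed=ALLOWED_WS_DESTS):
    """Combine both checks into one report a responder can act on."""
    return {
        "processes": suspicious_processes(procs),
        "websocket_c2_candidates": unexpected_websocket_upgrades(egress, allowed),
    }


if __name__ == "__main__":
    report = triage()
    for pid, reasons in report["processes"].items():
        print(f"pid {pid}: " + "; ".join(reasons))
    for src, dst in report["websocket_c2_candidates"]:
        print(f"unexpected WebSocket session {src} -> {dst}")
```

The process check is deliberately not limited to the reported file names: an operator can rename `dnsloger` in a minute, but a payload that runs from an anonymous memfd or whose backing file has been unlinked leaves the same trace regardless of its name, which is what makes the "fileless" property detectable. On the network side the WebSocket upgrade itself is legitimate traffic in most environments, so the useful signal is an upgrade to a destination that is not on a maintained allowlist; a real deployment would correlate the flagged source host with the process findings rather than alert on either alone.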
Conclusion: A Sophisticated and Evasive Threat
UNC5174 continues to pose a significant risk with its combination of open-source tools, sophisticated delivery methods, and stealthy payloads like SNOWLIGHT and VShell. Their ability to remain undetected while leveraging public tools and exploiting cross-platform vulnerabilities underscores the need for heightened vigilance and updated defensive strategies.